What Is the Maryland Online Data Privacy Act?
Maryland Governor Wes Moore signed the Maryland Online Data Privacy Act (MODPA) into law on 9 May 2024 as Senate Bill 541. The statute took effect on 1 October 2025, though it only applies to processing activities occurring on or after 1 April 2026.
MODPA is widely regarded as one of the strictest US state privacy laws enacted to date. Where most state frameworks follow the Virginia opt-out model with relatively broad allowances for data use, Maryland imposes tighter constraints on data collection, sensitive data handling, and advertising directed at children.
The law is enforced exclusively by the Maryland Attorney General through the Consumer Protection Division. There is no private right of action.
Who Does MODPA Apply To?
MODPA applies to organisations that conduct business in Maryland or target products and services to Maryland residents. Two thresholds determine applicability, and meeting either one brings an organisation within scope.
| Threshold | Requirement |
|---|---|
| Volume-based | Process personal data of at least 35,000 Maryland consumers per year (excluding data processed solely to complete a payment transaction) |
| Revenue-based | Derive 20% or more of gross revenue from the sale of personal data and process data of at least 10,000 Maryland consumers per year |
Nonprofit organisations, certain state-regulated insurance entities, and institutions subject to GLBA or HIPAA receive partial or full exemptions. Small businesses processing data only to complete payment transactions fall outside the law's reach entirely.
Data Minimisation: MODPA's Defining Feature
Data minimisation is the provision that sets MODPA apart from every other US state privacy law. Most frameworks allow broad data collection so long as consumers can opt out. MODPA reverses that approach.
Controllers may collect personal data only when it is "reasonably necessary and proportionate" to provide or maintain the specific product or service a consumer has requested. Data collected for secondary purposes - such as profiling or cross-site advertising - falls outside this standard unless the consumer explicitly consents.
For sensitive data, the bar is even higher. MODPA restricts processing of sensitive personal data to what is "strictly necessary" to deliver the requested product or service. This means a website cannot collect biometric identifiers, precise geolocation, health data, or genetic information just because a privacy policy discloses it. The collection must be tied to a genuine functional need.
Sensitive Data: No Sale Under Any Circumstances
MODPA is the first US state privacy law to ban the sale of sensitive data outright, regardless of consumer consent. Even if a user affirmatively agrees, a controller may not sell their sensitive personal data.
The definition of sensitive data under MODPA is broad:
- Racial or ethnic origin
- Religious beliefs
- Health-related data
- Genetic and biometric data
- Precise geolocation
- Sex life or sexual orientation
- Citizenship or immigration status
- Status as transgender or nonbinary
- Personal data of children under 13
This prohibition creates a hard boundary that consent alone cannot overcome - a departure from CCPA and most other state frameworks where consumer opt-in can authorise sensitive data sales.
Children's Data and Targeted Advertising Restrictions
MODPA introduces some of the strongest protections for children's data among US state laws. The law prohibits targeted advertising directed at consumers under 18 and bans the sale of data belonging to minors entirely.
The standard of knowledge is deliberately broad: a controller must comply if it "knew or should have known" that the consumer is under 18. This contrasts with COPPA, which applies only to children under 13 and requires actual knowledge. Maryland's approach places a heavier burden on businesses to identify and protect younger users.
Organisations running analytics or marketing pixels on sites likely to attract minors should review whether those scripts collect data that could be used for targeted advertising or profiling. Cookies such as _fbp, _gcl_au, and similar advertising identifiers would need to be suppressed when the visitor is or may be under 18.
Consumer Rights Under MODPA
MODPA grants Maryland consumers a set of rights broadly consistent with other state frameworks, though some carry additional weight given the law's minimisation requirements.
Right to Access and Confirm
Consumers can request confirmation of whether a controller processes their personal data and obtain a copy of that data in a portable format.
Right to Correction and Deletion
A consumer may request correction of inaccurate data or deletion of personal data a controller holds. Controllers must respond within 45 days, with a possible 45-day extension if reasonably necessary.
Right to Opt Out
Consumers may opt out of targeted advertising, the sale of personal data, and profiling that produces legal or similarly significant effects. Controllers must honour Global Privacy Control and other universal opt-out signals as valid opt-out requests.
There is no right to opt out of data processing for purposes that meet the "reasonably necessary" standard, because MODPA already limits collection to that standard by default.
Data Protection Assessments
MODPA requires controllers to conduct data protection assessments before engaging in certain types of processing. These assessments apply to:
- Processing personal data for targeted advertising
- Selling personal data
- Processing sensitive data
- Profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment, financial or physical injury, or intrusion on solitude or seclusion
The assessment must weigh the benefits of processing against the risks to consumer rights. Controllers should document these assessments and retain them, as the Attorney General may request them during an investigation. Organisations already conducting data protection impact assessments under GDPR will find the format familiar, though the legal tests differ.
Enforcement and Penalties
The Maryland Attorney General, through the Consumer Protection Division, holds exclusive enforcement authority. Before initiating legal action, the AG must issue a notice of violation. The controller then has 60 days to cure the violation.
This cure period is not guaranteed. The AG may consider several factors when deciding whether to offer it, including the number of violations, the size of the business, and the likelihood of public harm. After 1 April 2027, the optional cure period sunsets entirely, and the AG gains full discretion to proceed directly to enforcement.
| Penalty Type | Amount |
|---|---|
| Initial violation | Up to $10,000 per violation |
| Repeat violation | Up to $25,000 per violation |
The AG may also seek injunctive relief and recover attorney's fees and costs. Given the per-violation structure, non-compliance across thousands of consumer records could result in substantial total fines.
How MODPA Compares to Other State Privacy Laws
The table below highlights where MODPA diverges from other major US state privacy frameworks.
| Feature | MODPA (Maryland) | CCPA/CPRA (California) | VCDPA (Virginia) |
|---|---|---|---|
| Data minimisation | Reasonably necessary standard | No standalone requirement | Limited to disclosed purpose |
| Sensitive data sale | Prohibited entirely | Permitted with opt-in consent | Permitted with opt-in consent |
| Children's age threshold | Under 18 | Under 16 | Under 13 (aligned with COPPA) |
| Knowledge standard for minors | Knew or should have known | Actual knowledge | Actual knowledge |
| Universal opt-out signals | Required | Required | Not required |
| Private right of action | No | Yes (data breaches only) | No |
| Cure period | 60 days (expires April 2027) | None (removed by CPRA) | 30 days |
What Website Owners Should Do Before April 2026
With enforcement starting 1 April 2026, organisations processing data of Maryland consumers should act now.
Audit Your Data Collection
Review every cookie, pixel, and tracking script on your site. Identify which ones collect data beyond what is strictly needed to deliver the service your visitor requested. A thorough cookie audit is a practical first step. Tools like Kukie.io's free cookie scanner can identify what your site sets before and after consent.
Review Sensitive Data Flows
Map where sensitive data categories - health information, precise geolocation, biometric identifiers - enter your systems. If any of these data types are sold or shared with third parties for advertising, those flows must stop under MODPA regardless of consent status.
Update Your Consent Mechanism
Ensure your cookie banner supports opt-out requests for targeted advertising and data sales. Recognise universal opt-out signals such as GPC. If your site serves visitors under 18, suppress advertising cookies and data-sale mechanisms for those users by default.
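As an added example (not code from the original article or from any vendor it mentions), the server-side sketch below combines the GPC signal, a banner opt-out and a possible-minor check into one decision, then expires the advertising cookies named earlier. The `ageSignal`, `siteAttractsMinors` and `userOptedOut` inputs and all function names are hypothetical.

```javascript
// Added example: names other than Sec-GPC, _fbp and _gcl_au are hypothetical.
const AD_COOKIES = ['_fbp', '_gcl_au']; // advertising identifiers named in the article

// GPC arrives as the request header "Sec-GPC: 1" (Node lower-cases header names).
function hasGpc(headers) {
  return String(headers['sec-gpc'] || '').trim() === '1';
}

// ageSignal is an assumed input: 'adult', 'minor' or 'unknown'.
// On a site likely to attract minors, 'unknown' is treated as "may be under 18".
function mayBeMinor(ageSignal, siteAttractsMinors) {
  if (ageSignal === 'minor') return true;
  return ageSignal !== 'adult' && siteAttractsMinors;
}

// Extract cookie names from a raw Cookie request header.
function parseCookieNames(cookieHeader) {
  return (cookieHeader || '')
    .split(';')
    .map((pair) => pair.split('=')[0].trim())
    .filter(Boolean);
}

// Decide whether advertising tags may load and which cookies to expire.
function adPolicy({ headers, ageSignal, siteAttractsMinors, userOptedOut }) {
  const reasons = [];
  if (hasGpc(headers)) reasons.push('gpc');
  if (userOptedOut) reasons.push('banner-opt-out');
  if (mayBeMinor(ageSignal, siteAttractsMinors)) reasons.push('possible-minor');

  const allowAds = reasons.length === 0;
  const present = parseCookieNames(headers.cookie);
  const expire = allowAds ? [] : AD_COOKIES.filter((n) => present.includes(n));
  // Max-Age=0 tells the browser to delete the cookie immediately.
  const setCookie = expire.map((n) => `${n}=; Path=/; Max-Age=0`);
  return { allowAds, reasons, setCookie };
}

// Constructed sample request headers.
const gpcVisitor = { 'sec-gpc': '1', cookie: '_fbp=fb.1.1.1; session=abc' };
const plainVisitor = { cookie: '_gcl_au=1.1.1; session=abc' };
```

A browser only deletes a cookie when the `Path` and `Domain` of the expiring `Set-Cookie` match how the cookie was originally set, so adjust those attributes to your deployment. Record the `reasons` array alongside the decision so the opt-out handling can be evidenced later.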
Conduct Data Protection Assessments
If you process personal data for targeted advertising, sell data, or profile consumers, complete and document the required assessments before enforcement begins. Keep records accessible for potential AG review.
Frequently Asked Questions
When does MODPA enforcement begin?
MODPA took effect on 1 October 2025, but enforcement applies only to processing activities occurring on or after 1 April 2026. The optional 60-day cure period expires on 1 April 2027.
Does MODPA apply to small businesses?
MODPA applies to organisations that process data of at least 35,000 Maryland consumers annually (excluding payment data), or that derive 20% or more of gross revenue from the sale of personal data and process data of at least 10,000 Maryland consumers. Businesses below both thresholds are not covered.
Can I sell sensitive data if the consumer consents?
No. MODPA prohibits the sale of sensitive personal data under any circumstances, even with explicit consumer consent. This is a departure from most other US state privacy laws.
Does MODPA require a cookie consent banner?
MODPA does not specifically mandate a cookie banner, but it requires honouring opt-out requests for targeted advertising and data sales, including universal opt-out signals like GPC. A properly configured consent mechanism is the most practical way to meet these obligations.
How does MODPA protect children's data?
MODPA prohibits targeted advertising directed at consumers under 18 and bans the sale of minors' data. The law uses a "knew or should have known" standard, placing a higher burden on businesses than the actual-knowledge requirement found in most other state laws.
What penalties can the Maryland AG impose for MODPA violations?
The AG can seek civil penalties of up to $10,000 per initial violation and up to $25,000 per repeat violation. The AG may also seek injunctive relief and recover legal costs.